  From: David Harris <dharris@drh.net>
  To  : <imapvpop@davideous.com>
  Date: Tue, 11 Jan 2000 21:44:38 -0500

[background03] first run it with getpwnam replacement 1 of 2

A number of people have hacked virtual user support into imapd by linking in
a getpwnam replacement. This is horribly insecure if you don't properly hack
uw-imap to restrict each user to their "virtual" home directory.

Here is my first run-in with someone using this kind of a hack.

 - David Harris
   Principal Engineer, DRH Internet Services


-----Original Message-----
From:	David Harris [mailto:dharris@drh.net]
Sent:	Thursday, December 02, 1999 1:56 PM
To:	Darcy Buskermolen
Subject:	RE: Any Decent IMAP server? [single-uid interface]


Ok. That works. Your password checking setup in imapd must be just grabbing
the encoded password from getpwnam and checking it with crypt itself. So, to
apply this I'd have to compile imapd without PAM and without shadowed
passwords and then it would work.

Also, this does not have support for also logging in standard UNIX users
along with virtual users, does it?

Another issue: I believe that imapd allows you to specify the folder path
and get out of your home directory if you are a regular user. When you set
the blackBox user flag you are no longer allowed to do this. I don't think
this patch sets the black box user flag, so users may be able to read each
other's mail with ".."s in mailbox names. Have you tried specifying
mailboxes with a ".." in the path? Look in
src/osdep/unix/env_unix.c:mailboxfile to see where this ".." checking is
done.

Also, because your users are not black box, this may attempt to look for a
/var/spool/mail/$USER file. Do you know what value
src/osdep/unix/env_unix.c:env_init sets for sysInbox?

 - David Harris
   Principal Engineer, DRH Internet Services


-----Original Message-----
From:	Darcy Buskermolen [mailto:darcy@ok-connect.com]
Sent:	Thursday, December 02, 1999 12:59 PM
To:	David Harris
Subject:	RE: Any Decent IMAP server? [single-uid interface]

OK, here is my getpwnam replacement. This hack as it stands doesn't require
modifying the src for UW imapd. All you have to do is build it to an object
and link it with the imapd binary.
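
The ".." check discussed in the thread above, as an added example (not code from uw-imap or from either correspondent): a validator that confines a client-supplied mailbox name to one virtual user's home directory. The function name and the sample paths are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not uw-imap code): map a client-supplied mailbox
 * name to a path under the virtual user's home directory.
 * Returns 0 and fills `out` on success, -1 if the name is rejected. */
int confined_mailbox_path(const char *home, const char *name,
                          char *out, size_t outlen)
{
    const char *p = name;
    int n;

    if (!home || !name || !*name) return -1;
    /* Absolute paths and ~user expansion both leave the virtual home. */
    if (name[0] == '/' || name[0] == '~') return -1;

    /* Walk the name one path component at a time. */
    while (*p) {
        size_t len = strcspn(p, "/");
        if (len == 0) return -1;                       /* empty: "a//b" */
        if (len == 1 && p[0] == '.') return -1;        /* "."  */
        if (len == 2 && p[0] == '.' && p[1] == '.') return -1; /* ".." */
        p += len;
        if (*p == '/' && *++p == '\0') return -1;      /* trailing "/" */
    }

    /* snprintf returns the length it wanted, so truncation is detectable. */
    n = snprintf(out, outlen, "%s/%s", home, name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample names; the home directory is a made-up path. */
    const char *home = "/vhome/example.com/alice";
    const char *names[] = { "Sent", "lists/bugtraq", "..notes", "../bob/Sent",
                            "lists/../../bob/Sent", "/etc/passwd", "~bob/Sent" };
    char path[256];
    size_t i;

    for (i = 0; i < sizeof names / sizeof names[0]; i++) {
        int rc = confined_mailbox_path(home, names[i], path, sizeof path);
        printf("%-22s -> %s\n", names[i], rc == 0 ? path : "REJECTED");
    }
    return 0;
}
```

This is a string-level check only: a symlink inside the home directory can still point elsewhere, so a single-uid server would also need to resolve the final path and confirm it stays under the home.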



